From owner-freebsd-questions Tue May 2 02:09:28 1995
Return-Path: questions-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id CAA27042 for questions-outgoing; Tue, 2 May 1995 02:09:28 -0700
Received: from dtr.com (dtr.rain.com [204.119.8.19]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id CAA27032 for ; Tue, 2 May 1995 02:09:19 -0700
From: bmk@dtr.com
Received: (from bmk@localhost) by dtr.com (8.6.11/8.6.9) id BAA25589 for questions@freebsd.org; Tue, 2 May 1995 01:59:10 -0700
Message-Id: <199505020859.BAA25589@dtr.com>
Subject: ypserv & tcpd issues
To: questions@FreeBSD.org
Date: Tue, 2 May 1995 01:59:06 -0700 (PDT)
Reply-To: bmk@dtr.com
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2597
Sender: questions-owner@FreeBSD.org
Precedence: bulk

I've recently added NIS support to my small network in anticipation of adding more hosts. Naturally, I'm concerned about the security implications, and was quite happy when I found that ypserv contains support for tcp_wrappers (tcpd). Unfortunately, I haven't been able to actually get it to work. :(

The man page has this to say about tcpd support:

| Security
| ypserv has support for Wietse Venema's tcpwrapper package built in,
| though it is not compiled in by default since the tcpwrapper package is
| not distributed with FreeBSD. However, if you have libwrap.a and tcpd.h,
| you can easily recompile ypserv with them, thereby enabling its
| 'securenets' features: you can configure ypserv to only handle requests
| from machines listed in the tcpwrapper configuration files, which would
| help limit vulnerability to the first limitation listed above.

I was running tcpd 6.3, which doesn't have the required tcpd.h, so I upgraded to tcpd 7.0 - this went without a hitch.
I linked tcpd.h to the ypserv source directory and modified the makefile as follows:

|CFLAGS+=-Wall -DTCP_WRAPPER=1 -DTCPW_FACILITY=LOG_AUTH
|CFLAGS+=-DINSTDIR='"/usr/sbin"' -L/usr/local/lib -lwrap

Running make results in the following:

root (100) % make
cc -O2 -Wall -DTCP_WRAPPER=1 -DTCPW_FACILITY=LOG_AUTH -DINSTDIR='"/usr/sbin"' -L/usr/local/lib -lwrap -c dnslookup.c
cc: -lwrap: linker input file unused since linking not done
cc -O2 -Wall -DTCP_WRAPPER=1 -DTCPW_FACILITY=LOG_AUTH -DINSTDIR='"/usr/sbin"' -L/usr/local/lib -lwrap -c yp_svc.c
cc: -lwrap: linker input file unused since linking not done
cc -O2 -Wall -DTCP_WRAPPER=1 -DTCPW_FACILITY=LOG_AUTH -DINSTDIR='"/usr/sbin"' -L/usr/local/lib -lwrap -c yp_xdr.c
cc: -lwrap: linker input file unused since linking not done
cc -O2 -Wall -DTCP_WRAPPER=1 -DTCPW_FACILITY=LOG_AUTH -DINSTDIR='"/usr/sbin"' -L/usr/local/lib -lwrap -c server.c
cc: -lwrap: linker input file unused since linking not done
cc -O2 -Wall -DTCP_WRAPPER=1 -DTCPW_FACILITY=LOG_AUTH -DINSTDIR='"/usr/sbin"' -L/usr/local/lib -lwrap -o ypserv dnslookup.o yp_svc.o yp_xdr.o server.o
server.o: Undefined symbol `_hosts_ctl' referenced from text segment
*** Error code 1

The most obvious question I have is why am I getting the 'Undefined symbol' error - the hosts_ctl function seems to exist in libwrap.a.

The second question relates to my Makefile changes - I know that they're less than optimal. Obviously, the '-L/usr/local/lib -lwrap' portion should only get used at link time - is there a makefile directive to add link-only options?